
Do you have a nagging sense that Facebook isn’t always straight with you about how they share your personal information, photos, posts, friend lists, networks, likes and surfing habits? That they are selling your data in ways that you have never even imagined?

Your instincts are dead on. Facebook has been saying one thing to our faces and doing another behind our backs. Facebook is in pre-IPO mode and has the propaganda machine running overtime like Big Brother at an Animal Farm.

Enter the Federal Trade Commission (FTC). The FTC just released a formal complaint identifying eight counts against Facebook for violating the Federal Trade Commission Act. The FTC confirmed what we’ve always known: Facebook tells us what they think we want to hear, not necessarily the truth. Here are the details of Facebook’s dishonesty:

Under the guise of increasing user privacy, Facebook has consistently provided their advertisers with ever-expanding access to sensitive user information, not less.

Contrary to Facebook’s marketing machine, user profiles are assigned a unique User ID that allows applications (e.g. Farmville) to track us as individuals, not as anonymous, aggregated members of a group.

Even if you restrict all applications’ access to your data, your friends can install applications that allow Facebook to expose your personal information without your consent or knowledge.

When a user deletes their account, Facebook will remove the user’s profile, but they do not remove the private data associated with the profile upon deletion. It remains stored on Facebook-managed servers, forever available to vendors, advertisers and applications.

Worst of all, the FTC confirms that anytime Facebook makes updates to the website, a user’s personal security settings are lost and must be re-set because prior settings have been “overridden” by the updates. In other words, all of the time and work you put into customizing your privacy and security settings are lost anytime Facebook adds or tweaks a feature.

Within every count in the complaint about Facebook’s business practices, the FTC used one or more of the following “qualifiers”: False or misleading representation, Deceptive act or practice, Unfair act or practice, Contrary to the statements made…

But Facebook hasn’t just violated a law imposed by the FTC, they have violated the trust of their profit-makers, all of us, the users. At the most basic level, Facebook has failed 6-7 clear litmus tests of trust leadership. Here are three of their biggest violations:

Transparency – the right of those on the outside (users) to know what those on the inside (Facebook, application developers, law enforcement) know about us. Users know nothing, and in fact, it often seems that Facebook employees don’t know how the ‘engine on the inside’ works.

Expectation – the reasonable assumption that Facebook honestly tells us how our data is being collected, aggregated, used and sold. As shown by the FTC complaint, they are doing no such thing.

Respect – the most basic component of customer service, which says that users should be treated as stakeholders in the company, not as naive profit-centers who donate their data, for free, as endless inventory to be packaged and sold to multiple bidders.

The FTC reveals an arrogant Facebook, an organization that has systematically exempted itself from the rules, because of its size, its wunderkind story and our obsession with comparing our lives to others’. With an IPO expected early next year, it’s feared Facebook will tell the FTC what they think it wants to hear, once again, protecting their bottom line at any cost.

Ultimately, if Facebook continues to ignore the elephant in the room, all stakeholders (including stock holders) will divest their investment and delete their profiles and we will start to speak of Facebook like we do MySpace. Of course, Facebook is too successful right now to fathom that outcome.

John Sileo is a leadership speaker on deception and trust, including: social media privacy, trust leadership and identity theft. His clients include the Department of Defense, Experian, Homeland Security, Pfizer and the FDIC. Contact him on 800.258.8076.

Can social media and privacy mix? The short answer is no. Social media is social by nature (meaning others are involved) and is media based (meaning that the materials are designed to be easily communicated and shared). When something is essentially named Share with Others, privacy is an afterthought. But that doesn’t mean it should be completely non-existent, or at least not transparent – so that we know what we are sharing with others.

The FTC (Federal Trade Commission) is about to hold Facebook to stronger safeguards regarding user privacy, but in the end, it won’t matter very much because they are leaving Facebook with lots of wiggle room.

Rumor has it that Facebook will soon have to acquire users’ consent before making changes to privacy policies that affect current user data. That is a total contrast to what they’ve done in the past, which is to rewrite their privacy policies to be less protective without so much as giving users a whiff of the changes to their privacy.

It looks like Facebook, much like happened recently with Google, may have to submit to independent privacy audits annually over the next 20 years. At issue is the fact that the settlement will prohibit Facebook from making information that’s already on the site available to a wider audience without user consent.

Here’s the rub: the ruling doesn’t affect any new features that Facebook adds to their service in the future. It’s likely going to be a retroactive slap on the wrist for rolling back user privacy in 2009.

Privacy is paramount. Dozens of privacy bills have been submitted to Congress this year alone. The Obama administration has called for a “privacy bill of rights” and the FTC last year called for the development of a “do not track” system that would make it easier for Internet users to protect their browsing habits.

Privacy settings and unannounced changes have challenged the reputation of Facebook. It’s not entirely clear if these privacy-settings guidelines are being implemented in the best interest of the end-user, or if Facebook is trying to bolster their privacy concerns, and user reception, in preparation for a pending IPO in April 2012.

John Sileo speaks on social media exposure and corporate risk. Learn more at www.ThinkLikeASpy.com.

According to the Federal Trade Commission, Identity Theft still tops the annual list of consumer complaints. The list was released last Tuesday and Identity Theft was #1 for the 11th year in a row with more than 250,000 complaints. Identity theft accounts for 19% of all consumer complaints received by the FTC last year.

Why is this such a lingering, time-tested problem? Because most people, and most businesses, read about it being such a terrible problem, and then go off and do little about it. Corporations fail to train their employees on personal identity theft, and that lack of skill and prevention framework seeps into the workplace. This, in turn, leads to the loss of more data, customer records, employee files and intellectual capital.

The report also states that the Miami-Ft. Lauderdale, Fla. area ranks #1 in the nation for identity theft complaints per capita. Number 2 on that list is Brownsville, Texas followed by Dunn, N.C.

The 10 top consumer complaints nationally in 2010 were:

Identity theft

Debt collection

Internet services

Prizes, sweepstakes and lotteries

Shop-at-home and catalog sales

Impostor scams

Internet auctions

Foreign money, counterfeit check scams

Telephone and mobile services

Credit cards

I’m betting that next year we will be celebrating the 12th consecutive year when identity theft is the leading thorn in the consumer’s side – but the fault is no one’s but those who fail to take action.

According to a recent New York Times article, the government may be creating a department solely dedicated to strengthening privacy policies within the United States and other countries. A recent report details why such a force is necessary. Although this new office would lack enforcement authority, it would work directly with the administration and the necessary agencies to attack and solve privacy issues.

“America needs a robust privacy framework that preserves consumer trust in the evolving Internet economy while ensuring the Web remains a platform for innovation, jobs and economic growth,” the Secretary of the Commerce, Gary F. Locke, said in a statement. “Self-regulation without stronger enforcement is not enough. Consumers must trust the Internet in order for businesses to succeed online.”

The policy task force already suggested we make visible exactly what information is collected online through a “Privacy Bill of Rights.” Companies that collect this information will then have increased accountability and limits on what they can do with information collected.

The FTC would remain in charge of consumer privacy issues, but privacy concerns extend beyond borders and need to be handled with other countries. Information gathered from a 2009 study by the Interactive Advertising Bureau found that Internet advertising is responsible for approximately $300 billion of economic activity a year.

In the past, the FTC has called for improvements to online privacy policies by corporations. They have lobbied to give consumers the option of a “Do Not Track” button so third-party companies don’t have access to their information.

The more that internet users realize how much of their personal information is readily available to companies and advertisers, the more they want to put a stop to third-party tracking. Hopefully, such a task force can protect our privacy, while still giving us the ability to freely search the web.

John Sileo is the award-winning author of two identity theft prevention books, Stolen Lives and Privacy Means Profit (Wiley, August 2010), and America’s top Identity Theft Speaker. His clients include the Department of Defense, FTC, FDIC and Pfizer; his recent media appearances include 60 Minutes. Contact him on 800.258.8076.

The FTC just busted a long-running internet scam where offshore thieves set up virtual companies and stole millions of dollars from US consumers one small charge at a time.

“It was a very patient scam,” said Steve Wernikoff, a staff attorney with the FTC who is prosecuting the case. According to him, the scammers found loopholes in the credit card processing system that allowed them to set up fake U.S. companies that then ran more than a million phony credit card transactions through legitimate credit card processing companies.

The fraudsters were able to fly under the radar for so long because they only charged consumers between $0.25 and $9 and set up over 100 fake companies to pull off these transactions. In this specific case they charged over 1.35 million credit cards a total of $9.5 million – those nickels and dimes really add up! Shockingly, 94% of these charges went undetected by the credit card holder because they didn’t notice an unusual charge on their credit card statements, and fraud detection agencies rarely detect anything under $10.

With more and more credit cards being accepted for smaller purchases (e.g., soda machines and parking meters), thieves have taken this opportunity to cash in on the frequency of these charges. While 6% of the charges were detected and reported, the huge number of cardholders who didn’t even realize they had an unauthorized charge shows how lax we are about checking our statements. Here are some simple steps you can take to catch fraud early:

Set up automatic account alerts to monitor your daily credit card purchases. That way, anytime money is spent on the card, you receive an email or SMS text to your phone alerting you to the charge. If you didn’t use your credit card, you immediately know it’s a fraud and you can call and shut down your card.

If you aren’t sure about a charge, call the bank and ask them to confirm it is a legitimate charge.

Sign up for an identity monitoring service that can help with this. Although these victims only lost a few dollars here and there those small charges can add up – to the scammers it added up to $9.5 million!
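A statement review that applies the pattern described above, flagging sub-$10 charges from merchants the cardholder does not recognize and totalling them per merchant. This is an added example, not code from the original post; the statement lines and the known-merchant list are constructed.

```python
"""Flag the small-charge, unknown-merchant pattern described in the post.

Added example with constructed data. The rule mirrors the blind spot the
post describes: automated fraud screens rarely look at charges under $10,
so the cardholder's own statement review has to. A charge is flagged when it
is below the threshold AND the merchant is not on the cardholder's own list
of merchants they actually use. Known merchants are never flagged, so the
$1.50 parking meter charge below passes while the unknown media company
and holding company do not.
"""
from collections import defaultdict
from dataclasses import dataclass

THRESHOLD = 10.00  # per the post, screens rarely catch anything under $10


@dataclass(frozen=True)
class Charge:
    date: str
    merchant: str
    amount: float


# Constructed statement export (date,merchant,amount); not real data.
STATEMENT = """\
2010-01-03,GROCERY MART,54.12
2010-01-04,PARKING METER CITY,1.50
2010-01-05,ADW MEDIA SVC,0.25
2010-01-09,GROCERY MART,23.80
2010-01-12,ADW MEDIA SVC,9.00
2010-01-15,QRX HOLDINGS LLC,7.49
2010-01-20,GAS N GO,41.00
"""

# Constructed list of merchants this cardholder actually uses.
KNOWN_MERCHANTS = {"GROCERY MART", "PARKING METER CITY", "GAS N GO"}


def parse_statement(text):
    """Parse CSV statement lines into Charge records, skipping blank lines."""
    charges = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, merchant, amount = line.split(",")
        charges.append(Charge(date.strip(), merchant.strip(), float(amount)))
    return charges


def flag_small_unknown(charges, known, threshold=THRESHOLD):
    """Return charges under `threshold` whose merchant is not in `known`."""
    return [c for c in charges
            if c.amount < threshold and c.merchant not in known]


def total_by_merchant(charges):
    """Sum amounts per merchant; shows how repeated small charges add up."""
    totals = defaultdict(float)
    for c in charges:
        totals[c.merchant] += c.amount
    return dict(totals)


if __name__ == "__main__":
    flagged = flag_small_unknown(parse_statement(STATEMENT), KNOWN_MERCHANTS)
    for merchant, total in sorted(total_by_merchant(flagged).items()):
        print(f"review with bank: {merchant} ${total:.2f}")
```

Flagged merchants are candidates for the "call the bank and confirm" step, not proof of fraud; the point is that the review catches what the under-$10 screen does not.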

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer, the FTC and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

The FTC will begin enforcing the Red Flags Rule on June 1st, which states that certain businesses and creditors must help fight identity theft as well as create an identity theft prevention plan. This applies to a very broad class of businesses: those defined as “financial institutions” and those that extend any type of credit to their customers.

In other words, if you don’t receive cash the moment you deliver your product or service to your customer, your business most likely falls under the umbrella of the Red Flags Rule. If you do any billing after the fact (i.e., accounts receivable), you are considered a creditor, and therefore in the group of companies governed by Red Flags.

Building an Identity Theft Prevention Plan

According to the FTC, the identity theft prevention plan consists of four main parts:

Identification: The plan needs to provide a process to identify patterns, activities or transactions (i.e. red flags, hence the name) that appear to be leading to identity theft.

Detection: The plan needs to specifically call out processes and procedures that will be used to detect the previously defined red flags.

Response: The plan needs to include a process of responding to red flags as they are detected.

Revision: The plan should specify the process the organization will use to periodically update sections 1-3 as the threat landscape changes.

The plan must cover how your organization will ensure that any company to which you outsource will be compliant. Every organization’s senior employees or board of directors must approve the initial plan and train the appropriate employees.

The FTC has also identified five main categories that an organization’s Red Flags might fall under. They are:

Alerts, notifications, or warnings from a consumer reporting agency.

Suspicious documents.

Suspicious personally identifying information (PII).

Suspicious activity relating to a covered account.

Notices from customers, victims of identity theft, law enforcement authorities, or other entities about possible identity theft in connection with covered accounts.

As with any new plan or program there will be bumps in the road. The FTC won’t be actively auditing organizations, but it will be investigating on the basis of reported issues, and the costs of being found non-compliant can be staggering. Since most older and more mature organizations already have an Identity Theft Prevention Program in place, it won’t be a huge change. We have already begun to see a connection between the Red Flags Rule and a decrease in the ease with which identities are stolen out of businesses. Hopefully, this trend will continue.

In the meantime, you should get started on designing and implementing your identity theft prevention plan. For help understanding the process and other privacy issues that you and your business face, attend the Privacy Survival Boot Camp for Small Businesses hosted by John Sileo, America’s Top Identity Theft Expert.

How long has it been since you wore a white belt in your area of expertise?

I just had the singular honor of delivering an identity theft speech for the Federal Trade Commission in Washington, D.C. In case you don’t understand the humorous irony, let me explain.

The FTC is the arm of the U.S. Government that is responsible for educating you and me about our rights as consumers, including how to fight identity theft. In other words, they are the original identity theft experts! Those of us who are professional identity theft speakers turn to the FTC for information, guidance and materials.

So why did they pay my fee to talk about a subject they know so much about?

Perspective.

Let me use a Taekwondo metaphor to explain what I mean. In many martial arts programs, one level before achieving your black belt, the Master teacher asks the candidate to again wear their white belt to signify that the student is returning to the state of a beginner. The ritual is a symbolic reminder that we only grow and evolve when we are humble enough to admit how much we don’t know. It is related to the Zen principle of viewing life through the eyes of an ever-learning child.

Speaking to the FTC was a mutual act of humility – an admission that neither of us “experts” has it totally figured out. If we did, identity theft would no longer be the fastest growing crime in America. From the FTC, I learned a great deal about the education and regulation process: where we are failing in our efforts and where we must focus our energy. From me, the FTC hopefully has a living, breathing reminder of how drastically this crime can affect a human life, as well as some broader skills on how to prevent fraud inside corporations. We shared our different perspectives, and for that, we are both closer to our goals.

Shedding the black belts of expertise that we work so hard to craft for the more vulnerable and open-minded symbols of rank isn’t easy, but neither is becoming a true black belt. You see, earning a black belt isn’t about the belt, it’s about your ability to act with integrity even when no color, no reward, is involved. In an act of cooperation, let me share the wise resources of my fellow students and teachers at the FTC:

If you are interested in having John Sileo conduct fraud training and social engineering workshops for your organization, contact him directly on 1.800.258.8076. His satisfied clients include the Department of Defense, the FDIC, Pfizer and the Federal Reserve Bank.

The Federal Trade Commission and 35 state attorneys general filed a complaint against LifeLock that “charged that the company used false claims to promote its identity theft protection services,” according to a March 9th FTC press release. LifeLock will be responsible for paying the FTC $11 million as well as an additional $1 million to the 35 state attorneys general.

To clarify a couple of points that aren’t currently being covered by the media:

LifeLock did make misleading claims about how completely their product protected individuals, but to their credit, they toned those claims down considerably starting about a year ago. In essence then, the ruling pertains to LifeLock of old, not the current company, marketing materials or product offering.

At about the same time as they changed advertising, LifeLock began adding features to its product that bolstered the quality of its monitoring services.

If LifeLock continues to support and bolster the “engine” underneath its product (namely, the sophisticated identity monitoring services that it has already started adding), it will serve as a very worthwhile product in the identity monitoring space.

Here are a few of the charges in the FTC’s complaint that were in the press release:

The fraud alerts that LifeLock placed on customers’ credit files protected only against certain forms of identity theft and gave them no protection against the misuse of existing accounts, the most common type of identity theft.

LifeLock allegedly provided no protection against medical identity theft or employment identity theft, in which thieves use personal information to get medical care or apply for jobs.

LifeLock claimed that it would prevent unauthorized changes to customers’ address information, that it constantly monitored activity on customer credit reports, and that it would ensure that a customer always would receive a telephone call from a potential creditor before a new account was opened. The FTC charged that those claims were false.

LifeLock allegedly made claims about its own data security that were not true. According to the FTC, LifeLock routinely collected sensitive information from its customers, including their social security numbers and credit card numbers.

LifeLock’s data was not encrypted, and sensitive consumer information was not shared only on a “need to know” basis. In fact, the agency charged, the company’s data system was vulnerable and could have been exploited by those seeking access to customer information.

The $11 million that LifeLock is paying the FTC will be used to refund customers who were affected by these practices of LifeLock. Letters will be sent to current and former customers who might be eligible for financial refunds under this settlement. Any customers who think they may be involved in this settlement can receive up-to-date information at 202-326-3757 and at Ftc.gov/lifelock.

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To bring John in for your next meeting or conference, please contact him directly on 1.800.258.8076.